Making sport of browser security, hackers topple IE, Safari

Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.

The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access of the targeted machine. Wednesday's event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google's Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”

Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what's known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.

The hardest part of the exercise was writing fuzzing, debugging, and memory dumping software for Macs.

“On windows, you have everything available on the internet,” he said. “You can download everything you want. In (OS X) there is not even shell code available on the internet.”

After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.

“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple's security team. “We have the same privileges as the user who visited the webpage.”

He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.

Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.

“I have an exploit all ready to go, and now it's just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year's prize. “You'd think Apple would be concerned about it.”

Microsoft not left out of the carnage

Not to be left out, IE was equally devastated. Steven Fewer, an independent security researcher and principle of security consultancy Harmony Security, said he also exploited a use-after-free bug in the browser. Microsoft has fortified IE with a security sandbox that isolates it from more sensitive parts of the operating system, so Fewer had to exploit a design flaw in to break out.

“The (sandbox) escape I found was pretty easy, to be honest,” he said. “Surprisingly so.”

In all, he said it took him about six weeks of full-time research to find the bugs and write working exploits for them.

As the contest commenced, there were four contestants signed up to attack Safari, three to attack IE and just one to attack Chrome, which in addition to the $15,000 prize awarded by Pwn2Own sponsor Tipping Point, also fetched $20,000 from Google. The contestant never showed.

Day Two of the contest will turn its attention to smartphone security, with $15,000 prizes to the first person who successfully commandeers a Dell Venue Pro running Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google's Android. All four platforms have multiple contestants signed up to attack them, although Android hacker Jon Oberheide recently dropped out after killing his own Android vulnerability.

George Hotz, the prolific hacker and jailbreaker who goes by the moniker GeoHot, has also dropped out, evidently because Sony, which is waging a no-hold-barred legal fight against him for unlocking the PlayStation 3 game console, has given him much more pressing things to attend to.

The contest runs through Friday at the CanSecWest security conference in Vancouver. ®